You can also read my blurb below - i.e. how I came to the fact that upstream started to ship vsftpd section (versions 0.6.2 and 0.7.1) which were different from my previously Debian shipped, and it slipped through my hands.
ok - fix is needed. Could you please verify that next version works ok for you:
http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.7.5-3~pre1_all.deb

> 2006-12-18 10:19:20,153 fail2ban.filter : INFO Added logfile =
> /var/log/auth.log
> 2006-12-18 10:19:20,154 fail2ban.filter : INFO Set maxRetry = 3
> 2006-12-18 10:19:20,156 fail2ban.filter : INFO Set findtime = 600
> 2006-12-18 10:19:20,157 fail2ban.actions: INFO Set banTime = 24600
> 2006-12-18 10:19:20,159 fail2ban.filter : INFO Set failregex = vsftpd:
> \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
> 2006-12-18 10:19:20,161 fail2ban.filter : INFO Set ignoreregex =
>
> 3. log lines which signaled failed attempt to login in vsftp
> Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client
> "60.18.168.138"
> Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client
> "60.18.168.138"
> Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client
> "60.18.168.138" (x 100)
> Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client
> "60.18.168.138"
> Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client
> "60.18.168.138"
> Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client
> "60.18.168.138" (x 100)

As you can see, vsftpd filter looks for lines of format

vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)

whereas yours (which came from auth.log, i.e. syslog, or from some other custom file?) are quite different and don't bear any vsftp sign (besides pid # which probably belongs to vsftpd).

Surprisingly enough none of filters shipped with fail2ban was crafted for such log line. The question now is how far you diverged from stock configuration in your vsftpd setup. I've installed vsftpd on my own box (running unstable with vsftp 2.0.5-2).

> > I assume that you use stock config files (besides that custom jail.local
> > with enabled vsftpd section)
> Yes, that's right

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
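Added example, not part of the original message and not fail2ban's own code: it runs the failregex from the quoted debug output against the reported vsftpd lines to show why no ban was triggered. The CANDIDATE pattern, the auth.log sample lines and the helper names are assumptions made for illustration, not the fix shipped in the package linked above.

```python
import re
from collections import Counter

# failregex exactly as logged in the quoted fail2ban debug output.
SHIPPED = r"vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)"
# Hypothetical pattern for vsftpd's own log format (assumption, not fail2ban's).
CANDIDATE = r'\[pid \d+\] \[[^\]]*\] FAIL LOGIN: Client "(?P<host>[^"]+)"'
MAX_RETRY = 3  # "Set maxRetry = 3" in the quoted output

# Lines from the report, with the mail client's line wrapping joined.
VSFTPD_LOG = [
    'Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"',
]
# Constructed syslog-style lines of the kind the shipped pattern expects.
AUTH_LOG = [
    "Dec 21 07:10:5%d ftphost vsftpd: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10" % i
    for i in range(3)
]

def failures(failregex, lines):
    """Count failregex hits per captured host across the given log lines."""
    pattern = re.compile(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match and match.group("host"):
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(failregex, lines, max_retry=MAX_RETRY):
    """Hosts whose hit count reaches max_retry (assumed threshold semantics)."""
    counts = failures(failregex, lines)
    return sorted(host for host, n in counts.items() if n >= max_retry)

if __name__ == "__main__":
    for name, regex in (("shipped", SHIPPED), ("candidate", CANDIDATE)):
        for label, lines in (("vsftpd log", VSFTPD_LOG), ("auth.log", AUTH_LOG)):
            print(name, label, dict(failures(regex, lines)),
                  "ban:", hosts_to_ban(regex, lines))
```

Running a filter over a sample of the real log file this way, before enabling a jail, shows a pattern/format mismatch as zero hits instead of a silent absence of bans.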

